Threat of the Week: Mobile DDoS

The image is starkly frightening. Picture tens of millions essentially unprotected mobile phones and tablet computers that are conscripted by cyber crooks into a zombie botnet army and put to work overwhelming your credit union’s network with meaningless data in a mobile Distributed Denial of Service attack.

But here’s the question: is this science fiction or fact?

Experts disagree.

It’s undisputed fact that most mobile devices have no meaningful protection against viruses and malware. But, beyond that, the mobile DDoS story is marked by substantial disagreements.

Sounding the alarm is Javelin Research’s senior analyst for security Al Pascual who, in a press statement, said: “FIs and other organizations with a vested interest in the security of the mobile channel will be best served through a partnership with security vendors with the goal of increased adoption of mobile security software. Deputizing consumers through education on mobile security threats and encouraging use of anti-malware, firewall protection and other security solutions will have far-reaching benefits.”

In an interview, Pascual elaborated: “Financial institutions need to get into the fight. They are pushing mobile banking very hard. They need to partner with security vendors. They need to get involved with carriers. They need to get involved in helping to make devices more secure.”

He insisted that mobile DDoS attacks are coming in 2013 and “Android will be the most likely target,” mainly because the architecture is fundamentally more open than that of Apple’s iPhone.

Scary as this image is, some experts believe it has all the reality of a prediction of a J.R.R. Tolkien style, full-out Orc attack crippling Washington, DC.

“Mobile DDoS is theoretically possible but the infrastructure isn’t there yet. The cyber criminals are happy with what they now have,” said Steve Santorelli, a spokesperson for security researchers Team Cymru.

Tyler Shields, senior security researcher at Veracode, said there has been a proof of concept of mobile DDoS in the form of several apps that have recently won press attention but, he stressed, “Criminals have no need to create a new, mobile botnet. They have plenty of botnet capacity right now.”

Shields stressed that “the available mobile bandwidth is ramping up” – which indeed makes the idea of harnessing mobile devices to ping a target site into collapse possible – but, like Santorelli, his take is why do criminals need to bother with this? What they have is working, so why invest the time and energy to try to create a wholly new channel?

Ciaran Bradley, a security expert with AdaptiveMobile in Dublin, Ireland, made it three skeptics. “Theoretically it is possible but right now there just are much easier ways to launch DDoS than mobile.”

Santorelli, meantime, stressed: “Mobile DDoS may be coming. Just not now.”

What does a credit union need to do about mobile DDoS today? It’s your call. Every expert agrees it is a potentially interesting attack – but most seem persuaded that, for now, financial institutions are better advised to put their resources into protecting against other forms of attack such as classic DDoS initiated via infected zombie networks.